A serious security flaw in the Keras deep learning library could let attackers overwrite files on your Windows machine when you download and automatically extract machine learning models or datasets. The vulnerability, tracked as CVE-2025-12638, has been patched in Keras 3.12.0, and every user who runs automatic extraction of tar archives with Keras should upgrade immediately.
What Happened — The Extraction Bug in Detail
The problem lives inside keras.utils.get_file, a helper function that fetches remote files and optionally unpacks them. When called with extract=True on a .tar or .tar.gz file, Keras historically relied on Python’s tarfile.extractall without enabling the safer extraction filters that Python introduced in version 3.12. That omission meant a carefully crafted tarball could place files outside the intended cache directory — a classic path traversal attack, sometimes called ZipSlip in the security community.
The weakness didn’t operate in isolation. It interacted with a separate bug in Python’s own tarfile module, tracked as CVE-2025-4517, where symlink resolution and path‑length edge cases could bypass even the new filters. Together, these two issues created a scenario where Keras’s pre‑extraction checks were not enough to stop a malicious archive from escaping the cache folder and writing to system locations.
Keras versions 3.0.0 through 3.11.3 are affected. The fix — a centralized, hardened extraction routine that uses Python’s filter="data" option and adds extra runtime checks — landed in Keras 3.12.0. The change replaces direct archive.extractall() calls with a guarded helper that blocks dangerous paths, symlinks, and hard links.
What This Means for Windows Users, Developers, and IT Admins
For Data Scientists and Hobbyists Running Notebooks on Windows
If you’ve ever run a script that calls keras.utils.get_file("https://some-url.com/model.tar.gz", extract=True), your machine could be at risk. An attacker who controls the remote file can drop malware into your Startup folder, overwrite application configuration files, or corrupt data. The convenience of one‑line model downloads suddenly becomes an open door.
For Software Developers and DevOps Engineers
CI/CD pipelines that auto‑fetch and extract tar archives — for training datasets, pretrained weights, or any ML artifact — are high‑value targets. An attacker who poisons such a pipeline could inject malicious code into builds, infect downstream services, or pivot to other systems. Even if your production environment runs Linux, Windows build agents and developer workstations are equally exposed.
For IT Security Teams
This is a supply‑chain risk that echoes past ZipSlip flaws in other libraries. The vulnerability is present on any Windows system where Keras is installed and where extraction of untrusted archives occurs automatically. Scanning for Keras versions below 3.12.0 across your environment should be a priority, and you should look for unexpected file creation events from Python processes in system folders.
The practical impact ranges from unauthorized file disclosure to complete remote code execution if the attacker writes executable content to a directory that gets executed later — a Startup folder, a scheduled task, or a service binary path.
How We Got Here: Convenience vs. Security in ML Workflows
Keras’s get_file was designed for reproducibility. Fetching remote assets on first use lets researchers share code without bundling large model files. The extraction feature saved time and reduced manual steps. Unfortunately, the underlying Python tarfile module didn’t enforce secure extraction by default before Python 3.12, and many libraries, including Keras, inherited that relaxed handling.
The chain of events that led to CVE-2025-12638 includes:
- Python < 3.12 relied on developers manually sanitizing archive member paths during extraction. Few did.
- Python 3.12 introduced the
filterparameter fortarfile.extractall, but it was opt‑in; libraries had to explicitly choose a safe filter. - Keras’s pre‑extraction filtering (checking for
../patterns) was never sufficient on its own, because symlinks and path‑length quirks could circumvent those checks. - The Python bug CVE-2025-4517 exposed a deeper flaw in how
realpathresolves long or symlinked paths, enabling filter bypass in some versions even when the filter was set.
Microsoft’s Security Response Center assigned a CVE to the Keras vulnerability, though the advisory page is brief. The industry‑wide response has been to patch both Keras and the affected Python builds. Many Linux distributions have published updated Python packages; on Windows, you should ensure you’re running a Python version that includes the tarfile fix if you use Python 3.12 or later, and always upgrade Keras to 3.12.0.
What to Do Now: A Step‑by‑Step Remediation Checklist
1. Upgrade Keras Immediately
Open a command prompt or PowerShell (as administrator if needed) and run:
pip install --upgrade keras>=3.12.0
Verify the upgrade inside a Python shell:
import keras
print(keras.__version__)
This should show 3.12.0 or higher. Repeat on all machines, build agents, and container images where Keras is present.
2. Check Your Python Version and Apply Vendor Patches
If you use Python 3.12 or 3.13 (where the new tarfile filter feature exists), confirm you have a patched build. For the official Python for Windows, download the latest installer from python.org. For Anaconda or Miniconda, update with:
conda update python
Even if you can’t immediately patch Python, upgrading Keras alone reduces the risk because the fix adds its own path‑enforcement logic. However, for full protection, address both layers.
3. Audit Code and Pipelines for Automatic Extraction
Search your codebase and CI definitions for calls to get_file with extract=True. Replace these patterns with explicit, safe extraction steps:
- Download the archive.
- Optionally scan it with antivirus.
- Use the patched Keras extraction (which is now safe) or implement a custom safe extractor that rejects symlinks and enforces absolute‑path confinement.
- Move extracted files to the target directory only after integrity checks.
For Windows‑centric teams, a simple PowerShell snippet can help locate the vulnerable pattern across scripts:
Select-String -Path ".\*.py",".\*.ipynb" -Pattern "get_file.*extract\s*=\s*True" -List
4. Harden the Runtime Environment
- Run Python processes under a dedicated user account with minimal write permissions to system folders.
- If possible, perform extraction inside a Windows Sandbox or a container that cannot access host configuration paths.
- Apply AppLocker or WDAC rules to restrict which directories Python can write to, or use Controlled Folder Access to block writes to protected folders.
5. Monitor for Suspicious Activity
Enable logging of file creation events in critical directories (C:\Windows, C:\Program Files, C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). In Advanced Audit Policies, turn on “Audit File System” for those paths. Forward events to a SIEM and create alerts for:
- File creation by python.exe or pythonw.exe in system folders.
- Keras extraction warnings (the patched version logs “Skipping invalid path during archive extraction” when it blocks an attack).
- Unexpected network downloads immediately followed by file writes outside the keras cache (~/.keras by default).
Sample Event ID to watch: 4663 (an attempt to access an object). Use the process name and file path filters.
Outlook: Securing the AI Pipeline on Windows
CVE-2025-12638 is a reminder that every convenience function in an ML framework can become an attack surface. The combination of a library‑level slip and an interpreter‑level bug created a gap that persisted across thousands of systems. Keras maintainers reacted quickly, and the fix is straightforward to apply. But the operational debt — auditing old notebooks, updating pinned dependencies, and retraining detection rules — will take time.
Going forward, expect more scrutiny on the download‑and‑extract patterns common in AI tooling. The industry is moving toward zero‑trust supply chains, where every artifact is signed and every unpacking is sandboxed. For Windows users, that means treating model files and datasets with the same skepticism as email attachments. The patch is here; the rest is up to you.